OpenSSO Multiple Authentication Attributes
Using OpenSSO 8u2p3 Build 6 and Sun DS 7 on Red Hat. Using LDAP Auth Service.
I would like to let users choose from 2 different att values as their login i.e. uid or badge number; UID is the RDN of all user DNs. I go to Authentication | Module Instances and select the prevuiously configured LDAP module. I add the badge number attribute to "Attributes to Search for a User to be Authenticated" and Save.
Does not allow login with the badge number attribute. When I look in the DS access log, I only see a search using the uid as the filter.
Is there some other setting that I am missing?
Thanks!
First of all, you would need to have to restart OpenSSO in order for this kind of change to take effect. Secondly, you would need to create two LDAP authentication modules, one with the uid and one with the empid. You cannot use the same LDAP auth module for both.
Similar Messages
-
Multiple authentication sources with the same category
Quote from portal help:
"Multiple authentication sources can use the same category. However, because the prefix is prepended to the user and group names, you need to be certain that the domains involved do not have different users or groups with the same name. That is, if a LizaR user exists on one domain, and a LizaR user exists on another domain, they must be the same user because only one user will be created."
Fine, let's say I am "certain that the domains involved do not have different users or groups with the same name".
But there is other concern I have here. I want to know how portal will RECOGNIZE which authentication source to use?
Let's say I have 2 auth sources AS1 and AS2 with the same category MyAuth. AS1 use WS1 to authenticate against LDAP1 and AS2 use WS2 to authenticate against LDAP2.
Now, I have a user - Dmitry. I am trying to login into portal and I selected AS1 to do actual authentication. My question is how portal will CHOOSE which auth source to use because all portal knows about me is <MyAuth\Dmitry> that is came from portal login screen? Both auth sources match this pattern so seems like portal may choose any of them.
Does it mean that portal will try to authenticate again AS1 and if this attempt failed then you AS2?
I didn't find any explanation in portal documentation.
Thank you.
Edited by Bryazgin at 12/12/2007 10:42 AMYes, it seems you are right. As soon as portal have found CORRECT user there is no issue anymore because user is bind to unique auth source that actually has been used to created this user.
I think my main confusion come from the fact that having <Category> and <UserName> is not enough to UNIQUE identify user in portal as soon as <Category> can be the SAME for different auth sources.
Let's have you have user created by AS1. According API this user created by this AS1 will have 4 different names, like sUniqueName, sAuthenticationName, sLoginName and sDisplayName. But portal is going to search user in portal database BASED on information that is available in login form - <Category> and <User Name>. At this point portal has no idea about sUniqueName and all this things.
Now if there were 2 users in database that have been created by 2 different auth sources with the same <category> and <User Name> then I don't understand how portal will figured out which user to choose from. I guess <Category> value somehow MUST participate in sUniqueName value. <Category> has to be involve in process of finding user in database. In this scenario 2 users will be retrieved from database and what is important these 2 users are different, they have been created by different auth sources. Now question became which user is CORRECT one?
Edited by Bryazgin at 12/12/2007 1:34 PM -
Error: Set type Z contains multiple-value attributes
Hi forum,
I have a problem when i try to assign a set type with the same value but diferent name on another set type to the same product category.
This is the detail of the error but i dont know where i have to set this indicator:
If you set this indicator for a particular hierarchy, all categories and set types in this hierarchy are created in the PME.
This gives you the following extended maintenance options at category level:
You can assign set types with multiple-value attributes
You can restrict value ranges and maintain default values for attributes of customer set types.
Any sugerence about this?
Regards and thanks in advance,
MonHi Nelson,
I create two set types, the description is not the problem. I have discover that when i try to assign these attributes in the same set type or in other appears this error.
The set types have the same values. For example:
zcountry1. Values: sp - spain. fr - france.
zcountry2. Values: sp - spain. fr - france.
When i try to configurate the comm_hierarchy in my category appears this error:
Set type zcountry2 contains multiple-value attributes.
Diagnosis
The set type ZGAME5 contains multiple-value attributes. It cannot be assigned to the category as extended maintenance has not been activated.
Procedure
Multiple-value attributes are stored in the PME. If you want to use the set type ZGAME5, you must set the Extended Maintenance Options indicator for the hierarchy.
Extended Maintenance Is Possible for the Hierarchy
Definition
If you set this indicator for a particular hierarchy, all categories and set types in this hierarchy are created in the PME.
This gives you the following extended maintenance options at category level:
You can assign set types with multiple-value attributes
You can restrict value ranges and maintain default values for attributes of customer set types.
Where is this indicator¿? in R3?
So, these are the steps...can anybody help to me?
Regards and thanks in advance. -
How to extract full 20 bytes messageDigest from authenticated attributes
I�m having problems with message digest calculation.
Why in authenticated attributes the message digest field shows only the first 5 octets?
messageDigest = OCTET STRING = 20 bytes: E3:8A:22:3D:7C...
How I can extract the whole 20 bytes of message digest from authenticated attributes?
Please, help.Thanks Nico,
I think it will results data like this:
100 10 Ten 11
200 20 Twenty 12
300 30 Thirty 13
etc
and not the expected:
100 10 Ten 11
100 10 Ten 12
100 20 Twenty 21
etc
But it inspired me to solve this by adding key expression in each source table (B & C) to be joined to table A with this formula:
100+TRUNC(INGRP1.COLB1,-2)
Regards
Prat -
Multiple authentication in One WCF Service
Hello,
I need to use some authentication in my WCF Service, could you please if it is possible to use multiple authentication in One WCF Service? If it is possible, how to implement it.
Thank you.Hi helloGoodman,
I wonder if you mean that you want to use multiple authentication in One WCF Service endpoint, if so in WCF 4.5, it is supported to use multiple authentication in a single endpoint, for more information,
please try to refer to the following articles:
#Using Multiple Authentication Schemes with WCF:
https://msdn.microsoft.com/en-us/library/hh556235(v=vs.110).aspx .
http://blogs.msdn.com/b/james_osbornes_blog/archive/2011/11/04/2-auth-modes-on-1-endpoint-using-multiple-authentication-schemes-with-serviceauthorizationmanager.aspx .
If you mean that you want to use multiple authentication in One WCF Service not in a single endpoint, then I will recommand you use multiple endpoints and in each endpoint you can use the independent authentication mode which you want.
Best Regards,
Amy Peng
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.Yes, that is correct. You can set acs to use both radius and tacacs.
For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
You need to set up tacacs commands on WLC along with radius commands.
Regards,
~JG
Please rate helpful posts -
Determining uniqueness in a multiple value attribute
Are matching rules used in determining whether or not two values in a multiple value attribute are duplicates?
I have an attribute with EQUALITY caseExactMatch as a matching rule, but I can't add two values like:
xxx/AAA
XXX/AAA
I would think that the matching rule would be applied and the two values would be determined to be unique.
If matching rules are not applied when values are added, why not?
Note: IBM corrected this problem in one of their releases.Sorry for the late response. It looks like this is possible without using a matching rule. In DSCC, create an attribute with type IA5String.
$ ldapsearch -p 1111 -D 'cn=directory manager' -w password -b cn=schema -T cn=* | grep -wi csstring2
attributeTypes: ( csstring2-oid NAME 'csstring2' DESC 'ia5string' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
objectClasses: ( customoc-oid NAME 'customoc' DESC 'testing csstring and csstring2' SUP top STRUCTURAL MAY ( csstring2 $ csstring ) X-ORIGIN 'user defined' )
$ ldapsearch -p 1111 -D 'cn=directory manager' -w password -b dc=sun,dc=com uid=a csstring2
version: 1
dn: uid=a,dc=sun,dc=com
csstring2: AAAA
csstring2: aaaa
csstring2: AAAA/qqqqqqqqq
csstring2: AAAA/qqqqqQqQq -
Authenticated Attributes in Authenticode signing
Hi,
First, I hope this is the correct forum for this question... :-)
I'm developing a simple application to sign exe files with a digital signature programmatically, using the Cryptography's SignerSignEx2() function (using the Ex2, since I need the files to be time stamped as well, but the issue is the same with SignerSignEx()).
Everything works fine when simply signing with a time stamp, SignerSignEx2() finishes successfully, and file is correctly signed and time stamped.
But, I'm unable to add any authenticated attributes to the certificate.
My code looks something like this:
CRYPT_ATTR_BLOB val1;
val1.cbData = 12;
val1.pbData = (BYTE*) "hello there!";
CRYPT_ATTRIBUTE* catt = new CRYPT_ATTRIBUTE[1];
catt[0].pszObjId = "1.3.6.1.4.1.311.2.1.12";
catt[0].cValue = 1;
catt[0].rgValue = &val1;
CRYPT_ATTRIBUTES catts;
catts.cAttr = 1;
catts.rgAttr = catt;
SIGNER_SIGNATURE_INFO signerSignatureInfo;
signerSignatureInfo.algidHash = CALG_SHA1;
signerSignatureInfo.dwAttrChoice = 0;
signerSignatureInfo.pAttrAuthcode = NULL;
signerSignatureInfo.psAuthenticated = &catts;
signerSignatureInfo.psUnauthenticated = NULL;
When I add the authenticated attributes like this, SignerSignEx2() fails with 0x80093102.
What steps am I missing?
Any advice is very much welcome!Hi,
As for the SignTool.exe, I suggest to post it in the MSDN forum:
http://social.msdn.microsoft.com/Forums/en-US/home
Regards
Wade Liu
TechNet Community Support -
Will OBIEE supports multiple authentication
Hi All,
Does OBIEE 11.1.1.5.0 supports multiple authentication, at present in my environment we have configured LDAP, where a number users and groups are accessing obiee, we do not have some 3000 non obiee users, for these users also i have to send delivers. So my question how can i achieve. At present i am able to send delivers to obiee users.
Please provide information on this
Thanks
sreekanthHi,
Yes it supports multiple authentication.
For more refer,
http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABDCJBH
Thanks
Deva -
Multiple LOV attributes in different popups.
Hello,
I am using JDeveloper 11.1.1.3. In my page i have several buttons that open different popups. In every popup, i have created a 'select one choice' from my VO with its corresponding table (the view's table). This is mainly to implement a customized search page. However, since all attributes are linked to the same VO every time i run my program and enter a popup, the same value of the 'select one choice' attribute is seen in all other popups. Meaning, if the first popup has the "File Name" attribute and the second has "File Number", both show "File Name" or vice versa (depending on which popup i used first! I tried setting partial triggers on the SOC to the buttons, but this didn't work. Can this be fixed without creating multiple VOs?
Thanks,
Mohamed.Hello Timo,
Yes each soc is based on the same vo. Like you said it's taking the id the same for every soc i'm using. A sample code for two popups is the following:
<af:popup id="popup1" contentDelivery="immediate"
binding="#{popupBean.tablePopup2}" autoCancel="disabled">
<af:dialog id="dialog2" title="Filter By File Number"
type="none">
<af:selectOneChoice value="#{bindings.LOVReference1.inputValue}"
label="#{bindings.LOVReference1.label}"
required="#{bindings.LOVReference1.hints.mandatory}"
shortDesc="#{bindings.LOVReference1.hints.tooltip}"
id="soc2"
contentStyle="width:318px"
autoSubmit="true">
<f:selectItems value="#{bindings.LOVReference1.items}"
id="si2"/>
</af:selectOneChoice>
<af:spacer width="10" height="10" id="s12"/>
<af:table value="#{bindings.SearchAC21.collectionModel}"
var="row"
rows="#{bindings.SearchAC21.rangeSize}"
emptyText="#{bindings.SearchAC21.viewable ? 'No data to display.' : 'Access Denied.'}"
fetchSize="#{bindings.SearchAC21.rangeSize}"
rowBandingInterval="0"
selectedRowKeys="#{bindings.SearchAC21.collectionModel.selectedRow}"
selectionListener="#{bindings.SearchAC21.collectionModel.makeCurrent}"
rowSelection="single" id="t4"
styleClass="AFStretchWidth">
<af:column sortProperty="Filename" sortable="false"
headerText="#{bindings.SearchAC21.hints.Filename.label}"
id="c23">
<af:outputText value="#{row.Filename}" id="ot22"/>
</af:column>
<af:column sortProperty="Nbr" sortable="false"
headerText="#{bindings.SearchAC21.hints.Nbr.label}"
id="c19">
<af:outputText value="#{row.Nbr}" id="ot23">
<af:convertNumber groupingUsed="false"
pattern="#{bindings.SearchAC21.hints.Nbr.format}"/>
</af:outputText>
</af:column>
<af:column sortProperty="Issuedate" sortable="false"
headerText="#{bindings.SearchAC21.hints.Issuedate.label}"
id="c20">
<af:outputText value="#{row.Issuedate}" id="ot24">
<af:convertDateTime pattern="#{bindings.SearchAC21.hints.Issuedate.format}"/>
</af:outputText>
</af:column>
<af:column sortProperty="ReferenceNbr"
sortable="false"
headerText="#{bindings.SearchAC21.hints.ReferenceNbr.label}"
id="c21">
<af:outputText value="#{row.ReferenceNbr}"
id="ot21"/>
</af:column>
<af:column sortProperty="Signature" sortable="false"
headerText="#{bindings.SearchAC21.hints.Signature.label}"
id="c22">
<af:outputText value="#{row.Signature}"
id="ot20"/>
</af:column>
<af:column sortProperty="Subject" sortable="false"
headerText="#{bindings.SearchAC21.hints.Subject.label}"
id="c24">
<af:outputText value="#{row.Subject}" id="ot19"/>
</af:column>
</af:table>
<af:spacer width="10" height="25" id="spacer124"/>
</af:dialog>
</af:popup>
<af:popup id="popup2" contentDelivery="immediate"
binding="#{popupBean.tablePopup3}">
<af:dialog id="dialog3"
title="Filter By Reference Number" type="none">
<af:selectOneChoice value="#{bindings.LOVReference1.inputValue}"
label="#{bindings.LOVReference1.label}"
required="#{bindings.LOVReference1.hints.mandatory}"
shortDesc="#{bindings.LOVReference1.hints.tooltip}"
id="soc1" autoSubmit="true"
contentStyle="width:318px">
<f:selectItems value="#{bindings.LOVReference1.items}"
id="si1"/>
</af:selectOneChoice>
<af:spacer width="10" height="10" id="s13"/>
<af:table value="#{bindings.SearchAC2.collectionModel}"
var="row"
rows="#{bindings.SearchAC2.rangeSize}"
emptyText="#{bindings.SearchAC2.viewable ? 'No data to display.' : 'Access Denied.'}"
fetchSize="#{bindings.SearchAC2.rangeSize}"
rowBandingInterval="0"
selectedRowKeys="#{bindings.SearchAC2.collectionModel.selectedRow}"
selectionListener="#{bindings.SearchAC2.collectionModel.makeCurrent}"
rowSelection="single" id="t3"
styleClass="AFStretchWidth"
partialTriggers="::soc1">
<af:column sortProperty="Filename" sortable="false"
headerText="#{bindings.SearchAC2.hints.Filename.label}"
id="c14">
<af:outputText value="#{row.Filename}" id="ot14"/>
</af:column>
<af:column sortProperty="Nbr" sortable="false"
headerText="#{bindings.SearchAC2.hints.Nbr.label}"
id="c13">
<af:outputText value="#{row.Nbr}" id="ot18">
<af:convertNumber groupingUsed="false"
pattern="#{bindings.SearchAC2.hints.Nbr.format}"/>
</af:outputText>
</af:column>
<af:column sortProperty="Issuedate" sortable="false"
headerText="#{bindings.SearchAC2.hints.Issuedate.label}"
id="c15">
<af:outputText value="#{row.Issuedate}" id="ot13">
<af:convertDateTime pattern="#{bindings.SearchAC2.hints.Issuedate.format}"/>
</af:outputText>
</af:column>
<af:column sortProperty="ReferenceNbr"
sortable="false"
headerText="#{bindings.SearchAC2.hints.ReferenceNbr.label}"
id="c17">
<af:outputText value="#{row.ReferenceNbr}"
id="ot16"/>
</af:column>
<af:column sortProperty="Signature" sortable="false"
headerText="#{bindings.SearchAC2.hints.Signature.label}"
id="c18">
<af:outputText value="#{row.Signature}"
id="ot17"/>
</af:column>
<af:column sortProperty="Subject" sortable="false"
headerText="#{bindings.SearchAC2.hints.Subject.label}"
id="c16">
<af:outputText value="#{row.Subject}" id="ot15"/>
</af:column>
</af:table>
</af:dialog>
</af:popup>The value is always taken:
<af:selectOneChoice value="#{bindings.LOVReference1.inputValue}{code}
I found a workaround which is to add multiple VOs in my application module and use every one to a different attribute. But, i don't find this solution effective!
Thanks,
Mohamed. -
Price Matrix - Multiple Product Attributes
Hi, I need to set prices for 1 product based on combination of selected multiple attributes. How can I do this?
Product A
Material
Size
Price
material 1
s
10
m
12
l
15
material 2
s
20
m
25
l
30
xl
35
xxl
63
material 3
l
80
xl
100For more information on inventory control and setting product inventory for attributes, please refer to the following article : http://helpx.adobe.com/business-catalyst/partner/product-inventory.html
Cheers,
Aishvarya Raj Rastogi -
802.1x multiple-authentication issue
Hey,
I'm configuring 802.1x multiple authenticatino with C3560G.
Without any timer changes, user's mac address is registered by static on mac address table.
The issue is that if authenticated user moves to non-802.1x port, this user can't access network due to static mac entry.
If I set periodic reauthentication up for solve this, PCs which is connected to 802.1x port got EAP packets periodically, then users on those PC should have msg "local areal connection is connected" on Windows taskbar. I got a tons of this complaints.
What else I can do in order to clear this situaltion?Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's. In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects. Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate. -
Multiplt Description should be set for multiple Transient Attributes
Hi!!
I am using jdeveloper 11.1.1.5
I had created a VO such as BusEntityVO in this i had an attribute such as City,State,Country I had also created an transient attribute such as citydesc,countrydesc,statedesc.,
I need to create an LOV for City Attribute so that while my user clicks the LOV
these values should be set
City , Citydesc ,State, StateDesc,Country, CountryDesc
I had created and VO using the following querry
select city,cityname1,state,statename1,country,countryname1 from cities,states,countries where city_state_id = state_id and state_ctry_id = cntry_id
In my List of Values i had done the following by using reference attributes
My Scenario i need to set the description corresponding to city,state,countryHi,
Have you tried creating the view object based on multiple entities and use the list's data source entities as reference?
Say for ex. If you have a person table with countryID, stateID and cityID and the corresponding tables has the description (say country table having countryID and countryDesc), try creating a VO based on PersonEO, CountryEO etc and keep only the PersonEO as updatable and others as reference?
http://docs.oracle.com/cd/E21043_01/web.1111/b31974/bcadvvo.htm#CEGCAJCI
-Arun -
OIM with multiple authentication source
Dear All,
Can OIM authenticate from Active Directory and Oracle Internet Directory?
My customer require that :
1. Permanent Employee will be authenticated using Active Directory.
2. Non-Permanent Employee will be authenticated using Oracle Internet Directory.
Can i do this with or without Oracle Access Manager?
Thank you.Hi Kishore,
We have tried configure OVD as authentication source with OID and OVD as the directory. We found another issue. In the AD, the Username Attribute (equals to OIM's User Login) is sAMAccountName, but in the OID, there is no sAMAccountName. We can use CN, UID, and orclsamaccountname as Username Attribute.
How can we map the username attribute in the OVD so we can put the username attribute in the OAM configuration?
Need help, please share your idea and experience.
Thank you,
-heri- -
G6: Consolidating Multiple Authentication Sources
Hello everyone!
When our development environment was setup an Authentication Source was created to go against 1 of the 4 containers in our Active Directory. The containers correspond to different regions of our organization (North, South, East West). At the time we just wanted to test the North people so we set the OU to that container.
This past week I wanted to expand our user base to include the 3 other containers. Unsure of the exact procedure to do this, I copied the original AuthSource and created 3 new ones. The users were successfully pulled in, however at the login screen there are now 5 authentication sources (Plumtree Users, North, South, East, West). I realize now that a mistaken was made from the start in pulling from a container rather than the root, or in my second step of creating new sources rather than manipulating the original. (chalk it up to a learning curve!)
The Authentication Sources are tied directly to the users that they have loaded and can't be deleted unless the associated users/groups are "removed".
Would I be correct in assuming that the only way to consolidate our login Authentication Sources would be to delete all of our users followed by all of the Auth Sources and then create a single source to query the root? Is there any way to change the users Auth Source?
Are there was any other "best practices" or pitfalls that I should be aware of? Especially things that can't be modified after the initial import as in this case?
Thanks for any help,
Geoff
Geoff Garcia
Producer, Enterprise Portal
March of Dimes National Office
1275 Mamaroneck Ave.
White Plains, NY 10605
914 997.4275 (Office)
908 531.6364 (Cell)
[email protected]
Improving the health of babies by preventing birth defects, premature birth, and infant mortalityI would do this:
Delete the "new" (South, West, East) users, groups, then delete the corresponding authentication sources
Modify the "original" (North) authentication source's User Query Base (and Query Filter if necessary) Rename the authentication source if you like. Do not change the User Unique Name attribute.
Sync the original authentication souce. This should just add the users from the modifed root, and assuming that the original users are still included in the modified base and query, they should just stay right there.
Maybe you are looking for
-
1. This happens at least once a day, and sometimes multiple times. Today it's happened twice, thus far. My home page is FoxNews.com and if I leave it up overnight or for longer periods during the day firefox doesn't allow the refresh of the home page
-
Script will create database, 3 database objects and publish. The error is due to the generation script to create the conflict tables that is not stripping out default constraints that reference a UDF. As you can see below, the failure is on the gen
-
How to Transport VC Content from NetWeaver 7.0 to NetWeaver 7.4
Hi I am following the wiki: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c084eeac-b97a-2c10-e8b0-a27b5608b5d2?overridelayout=true http://wiki.scn.sap.com/wiki/display/BOBJ/BI4+-+NW+Java+WAS+7.3+EP+and+BI4+portal+applications?ori
-
hi how to update the transparent table by using the abap coding???? urgent <b><REMOVED BY MODERATOR></b> Message was edited by: Alvaro Tejada Galindo
-
Hi All, My requirement is souce field format(MM/dd/YY) convert it to target field format(dd-MM-yyyy). I used Date Trans function to achieve the same. The problem is some times the source field may not contain any value. So, I tried exists function so